
Rogue service process left after otherwise successful MBAM detection/deletion



My son's computer was attacked a couple of days ago when he browsed to a malicious website.

He ran MBAM (1.50.1, database version 5383), which detected and deleted *most* of the malicious attack artifacts, but not all.

The attack disabled his Microsoft Security Essentials -- removed the MSSE entry from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, disabled the MsMpSvc service, and launched a malicious service (in a rundll32.exe launched by the regular svchost.exe for the netsvcs service group).

The maliciously launched rundll32.exe loaded a dll named ntmsdba2.dll that had been dropped in c:\windows\system32.

When that process was running, MSSE was unable to initialize when launched -- it exited within seconds of being launched manually.

The attack-dropped ntmsdba2.dll had been attributed system, hidden, read-only, and ACLed to prevent deletion.

MBAM did not detect it when in that state.

I killed the rundll32.exe and then used cacls.exe to overwrite the ACLs with EVERYONE:F, and removed the S H & R attributes.

After doing that, I ran another MBAM scan, which *did* detect it, and an apparently associated registry key as well:

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\H3O8CABBPI (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:

c:\WINDOWS\system32\ntmsdba2.dll (Trojan.Agent) -> Quarantined and deleted successfully.

We have a remaining issue however -- the svchost.exe is still attempting to launch the malicious service. The rundll32.exe does not exit, even though the dll has been deleted. Its command line is:

C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\ntmsdba2.dll",Bkmap

However there doesn't seem to be a service in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, or an entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs, corresponding to this process.

It's unclear to me what the mechanism is by which the process is being launched. It appears to be launched at boot time, but not in safe mode.

I have searched the registry for the string "ntmsdba2" anywhere in any key, value, or data -- nothing found. If the dll filename is being stored in the registry anywhere it must be in something other than clear text.

I have searched the file system (with Explorer set to view hidden and system files, of course) for files containing the string "ntmsdba2" -- no luck. Again, if it's being stored in the file system, it's not in clear text.

The svchost.exe and rundll32.exe program files themselves appear to be OK -- they byte-compare identical to copies of the respective file taken from an uninfected system running the same OS revision (WinXP SP3, with all critical updates pushed by Microsoft through 12/23/10).

I have checked the system for rootkits using GMER, RootRepeal, Sysinternals RootkitRevealer, HitManPro 3.5, and Kaspersky's TDSSKiller -- none of them reported anything that didn't have a legitimate explanation. But it seems I might have been using an older-than-current version of GMER. I also realize now that I scanned after having killed the suspicious rundll32.exe instance -- I should have left it running while scanning.

I originally reported this problem at http://forums.malwarebytes.org/index.php?showtopic=71123, and was asked to start a topic here with DDS, GMER, and MBAM logs per http://forums.malwarebytes.org/index.php?showtopic=9573.

Before running the scans to create these logs, I made sure to reboot the machine *without* killing the suspicious rundll32.exe instance. (One other thing to be aware of: the machine has been disconnected from our home network until I am sure it is malware-free -- so it's possible that event logs, etc., might show network timeouts or disconnected NICs.)

The (apparently newer version of) GMER linked to on http://forums.malwarebytes.org/index.php?showtopic=9573 did show a .text section in a kernel driver that reported as writeable, something I hadn't seen with my existing version of GMER (and scanning with the suspicious rundll32.exe instance no longer running).

I am curious as to why the rundll32.exe doesn't exit, if the dll named on its command line doesn't exist in the file system. One plausible explanation is that it's running injected code.

In addition to pasting the DDS log (below), I've attached the requested attach.txt from DDS and ark.txt from GMER, and 4 MBAM logs. The last of these (mbam-log-2010-12-25 (21-18-01).txt) was run in the machine's current state (same as DDS and GMER, i.e., fresh boot of normal-mode Windows with the suspicious rundll32.exe instance running), immediately after GMER exited normally following its scan. The previous 3 MBAM logs are as follows:

mbam-log-2010-12-18 (13-45-28).txt - log of my son's initial response to the attack. MBAM seems to have gotten most of the bad stuff, but not the S+H+R attributed and restrictively ACLed attack artifact ntmsdba2.dll or anything from the address space of the suspicious rundll32.exe instance that loaded it.

mbam-log-2010-12-18 (14-02-22).txt - log of a second MBAM run my son made when he realized that MSSE was still crippled. It didn't find ntmsdba2.dll or the rundll32.exe that loaded it.

mbam-log-2010-12-24 (15-01-27).txt - MBAM run by me after I killed the rundll32.exe, and re-ACLed and re-attributed the ntmsdba2.dll attack artifact. MBAM now finds the dll and a (related?) registry key.

Merry Christmas, and I look forward to working with you on this.

Attach.txt

ark.txt

mbam_log_2010_12_18__13_45_28_.txt

mbam_log_2010_12_18__14_02_22_.txt

mbam_log_2010_12_24__15_01_27_.txt

mbam_log_2010_12_25__21_18_01_.txt
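The post above works through two checks by hand: whether any service in a svchost group (HKLM\SYSTEM\CurrentControlSet\Services plus the SvcHost group lists) accounts for the rundll32.exe child, and whether the DLL named on a running rundll32.exe command line still exists on disk. The script below is an added example of the same triage done from a shell; it is not the poster's code and not a Malwarebytes tool. It assumes PowerShell 2.0 or later is installed (it was an optional download on XP SP3) and that it is run from an elevated prompt so that WMI returns command lines for every process. Part 1 walks every svchost group and resolves each member service's ServiceDll; part 2 lists every live rundll32.exe with its parent process and flags any whose DLL argument is missing, which is exactly the orphan situation described above.

```powershell
# Added triage example (not from the original post). Part 1: enumerate every
# svchost service group, resolve each member service's ServiceDll, and flag
# members with no Services key, no ServiceDll, or a ServiceDll that is not on disk.
$svcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$groups = Get-ItemProperty -Path $svcHostKey
foreach ($prop in $groups.PSObject.Properties) {
    # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive, PSProvider;
    # everything else is a REG_MULTI_SZ group list such as netsvcs.
    if ($prop.Name -like 'PS*') { continue }
    $groupName = $prop.Name
    foreach ($svcName in @($prop.Value)) {
        $svcPath = Join-Path $servicesKey $svcName
        if (-not (Test-Path $svcPath)) {
            # Listed in the group but never registered as a service: svchost skips it.
            Write-Output "[$groupName] $svcName : in group list but no Services key"
            continue
        }
        $dll = $null
        $paramsPath = Join-Path $svcPath 'Parameters'
        if (Test-Path $paramsPath) { $dll = (Get-ItemProperty -Path $paramsPath).ServiceDll }
        if (-not $dll) { $dll = (Get-ItemProperty -Path $svcPath).ServiceDll }  # older layout
        if (-not $dll) {
            Write-Output "[$groupName] $svcName : no ServiceDll value"
            continue
        }
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path $expanded)) {
            Write-Output "[$groupName] $svcName : ServiceDll MISSING on disk -> $expanded"
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $expanded
            Write-Output "[$groupName] $svcName : $expanded (signature: $($sig.Status))"
        }
    }
}

# Part 2: every running rundll32.exe, who started it, and whether the DLL on its
# command line still exists. A live rundll32 whose DLL is gone is running code
# that did not come from that file (the module was already mapped, or the
# process was injected), so it cannot be explained by the command line alone.
$rundlls = Get-WmiObject Win32_Process -Filter "Name = 'rundll32.exe'"
foreach ($p in $rundlls) {
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentDesc = if ($parent) { "$($parent.Name) [$($parent.ProcessId)] $($parent.CommandLine)" }
                  else { "<exited> [$($p.ParentProcessId)]" }
    $cmd = $p.CommandLine
    $dllArg = $null
    # rundll32 syntax: rundll32.exe <dllpath>,<EntryPoint> [args]; the path may be quoted.
    if ($cmd -and ($cmd -match 'rundll32(\.exe)?"?\s+"?([^",]+)')) { $dllArg = $matches[2].Trim() }

    Write-Output "rundll32.exe PID $($p.ProcessId)"
    Write-Output "  command line : $cmd"
    Write-Output "  parent       : $parentDesc"
    if (-not $dllArg) {
        Write-Output "  dll argument : <none parsed>"
    } elseif (Test-Path ([Environment]::ExpandEnvironmentVariables($dllArg))) {
        Write-Output "  dll argument : $dllArg (present)"
    } else {
        Write-Output "  dll argument : $dllArg (MISSING ON DISK - investigate this process)"
    }
}
```

Part 1 answers the "is there a service behind this?" question in one pass instead of eyeballing the netsvcs value against the Services key, and the signature status column makes an unsigned ServiceDll in system32 stand out among the Microsoft-signed ones. Part 2 should be run before killing the suspect process, for the same reason the post gives for rescanning with it alive: once the process is gone, so is the evidence of what was loaded into it.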


Argh! I forgot to paste the DDS log!

Here it is:

DDS (Ver_10-12-12.02) - NTFSx86

Run by Jeremy at 14:23:51.51 on Sat 12/25/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1500 [GMT -5:00]

AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: Norton Internet Worm Protection *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Jeremy\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page =

uStart Page = hxxp://www.yahoo.com/

uDefault_Page_URL = hxxp://www.msn.com

uSearch Bar =

uSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant =

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File

TB: {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - No File

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [wcmdmgr] c:\windows\wt\updater\wcmdmgrl.exe -launch

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\mi1933~1\office\1033\phdintl.dll/phdContext.htm

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1290309790216

DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/CheckersZPA.cab55579.cab

TCP: {67EFFA61-4D6A-465D-A5F1-683A0288137A} = 207.172.3.8,207.172.3.9

Filter: text/html - {d7d46a02-dfd9-4396-a4a4-f0fc69b8b499} -

Notify: igfxcui - igfxdev.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jeremy\applic~1\mozilla\firefox\profiles\tf592upe.default\

FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=23-05-2010&tb_mrud=23-05-2010

FF - prefs.js: browser.startup.homepage - hxxp://my.earthlink.net/

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=100000000000000002&tb_oid=23-05-2010&tb_mrud=23-05-2010&query=

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\download manager\npfpdlm.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Seekdns: {7BA9F755-DCD4-4B60-8AE8-EE3662C7C733} - c:\program files\mozilla firefox\extensions\{7BA9F755-DCD4-4B60-8AE8-EE3662C7C733}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video

FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]

R3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\drivers\stdriver32.sys [2010-10-2 52824]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]

S3 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2010-12-2 401920]

S3 kbeepm;kbeepm;c:\docume~1\jeremy\locals~1\temp\kbeepm.sys [2004-3-14 15872]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-3-30 17920]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-3-30 7680]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-3-30 22528]

=============== Created Last 30 ================

2073-10-27 15:55:34 2404352 ----a-w- c:\program files\microsoft games\halo custom edition\haloce.exe

2073-10-27 15:55:34 1835008 ----a-w- c:\program files\microsoft games\halo custom edition\haloceded.exe

2073-10-27 15:55:34 1118208 ----a-w- c:\program files\microsoft games\halo custom edition\Strings.dll

2010-12-22 21:53:50 -------- d-----w- c:\docume~1\jeremy\applic~1\Local

2010-12-22 19:24:06 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{54d77d9f-df6c-41bf-bd3d-1b7673dbf79d}\mpengine.dll

2010-12-14 21:29:20 78408 ----a-w- c:\windows\system32\zlib1.dll

2010-12-14 21:29:19 10833920 ----a-w- c:\windows\system32\libmfxsw32.dll

2010-12-14 21:29:18 10915840 ----a-w- c:\windows\system32\libmfxhw32.dll

2010-12-14 21:29:18 1003008 ----a-w- c:\windows\system32\libeay32.dll

2010-12-12 17:37:14 -------- d-----w- c:\program files\ToMMTi Systems

2010-12-10 02:22:10 -------- d-----w- c:\program files\Microsoft Directx

2010-12-09 01:12:14 -------- d-----w- c:\program files\GTA2 DEMO

2010-12-09 01:10:08 -------- d-----w- c:\docume~1\jeremy\applic~1\GetRightToGo

2010-12-06 22:13:05 -------- d-----w- c:\program files\GTA2

2010-12-05 03:15:02 63720 ----a-w- c:\temp\msvcrt-unusual-way\WindowsXP-KB884538-x86-Symbols-ENU.exe

2010-12-05 03:15:02 363752 ----a-w- c:\temp\msvcrt-unusual-way\WindowsXP-KB884538-x86-ENU.exe

2010-12-05 01:05:51 888424 ----a-w- c:\windows\system32\nvdispco32.dll

2010-12-05 01:05:51 813672 ----a-w- c:\windows\system32\nvgenco32.dll

2010-12-05 01:05:08 -------- d-----w- C:\NVIDIA

2010-12-04 16:24:19 -------- d-----w- c:\program files\Rockstar Games

2010-12-03 20:42:18 -------- d-----w- c:\docume~1\jeremy\applic~1\Bioshock2

2010-12-03 20:07:54 453456 ----a-w- c:\windows\system32\d3dx10_42.dll

2010-12-03 20:07:54 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll

2010-12-03 20:07:40 -------- d-----w- c:\windows\system32\xlive

2010-12-03 20:07:39 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE

2010-12-03 03:44:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\Amazon

2010-12-03 01:01:37 -------- d-----w- c:\program files\Edmark

2010-11-28 18:08:19 51472 ----a-w- c:\windows\system32\imagecfg.exe

2010-11-28 17:04:34 -------- d-----w- c:\program files\SystemRequirementsLab

2010-11-27 02:30:38 -------- d-----w- c:\program files\Surreal

2010-11-27 01:44:53 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-11-27 01:44:50 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-11-27 01:43:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

2010-11-27 01:25:46 77824 ----a-w- c:\windows\system32\tasklist.exe

2010-11-27 01:25:46 76288 ----a-w- c:\windows\system32\taskkill.exe

2010-11-27 01:25:46 121856 ----a-w- c:\windows\system32\schtasks.exe

==================== Find3M ====================

2010-12-05 01:06:16 240592 ----a-w- c:\windows\system32\nvdrsdb0.bin

2010-12-05 01:06:16 1 ----a-w- c:\windows\system32\nvdrssel.bin

2010-12-05 01:06:14 240592 ----a-w- c:\windows\system32\nvdrsdb1.bin

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-12 00:44:54 94208 ----a-w- c:\windows\system32\dpl100.dll

2010-11-08 22:57:04 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl

2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-05 00:11:22 202448 ----a-w- c:\windows\system32\PnkBstrB.exe

2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec

2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe

2010-10-16 18:55:00 6359552 ----a-w- c:\windows\system32\nv4_disp.dll

2010-10-16 18:55:00 61440 ----a-w- c:\windows\system32\OpenCL.dll

2010-10-16 18:55:00 4882432 ----a-w- c:\windows\system32\nvcuda.dll

2010-10-16 18:55:00 2932840 ----a-w- c:\windows\system32\nvcuvid.dll

2010-10-16 18:55:00 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll

2010-10-16 18:55:00 2293194 ----a-w- c:\windows\system32\nvdata.bin

2010-10-16 18:55:00 1462272 ----a-w- c:\windows\system32\nvapi.dll

2010-10-16 18:55:00 14532608 ----a-w- c:\windows\system32\nvoglnt.dll

2010-10-16 18:55:00 13012992 ----a-w- c:\windows\system32\nvcompiler.dll

2010-10-16 17:04:22 81920 ----a-w- c:\windows\system32\nvwddi.dll

2010-10-16 17:04:16 277608 ----a-w- c:\windows\system32\nvmccs.dll

2010-10-16 17:04:16 13851752 ----a-w- c:\windows\system32\nvcpl.dll

2010-10-16 17:04:16 110696 ----a-w- c:\windows\system32\nvmctray.dll

2010-10-16 17:04:14 156776 ----a-w- c:\windows\system32\nvsvc32.exe

2010-10-16 17:04:14 145000 ----a-w- c:\windows\system32\nvcolor.exe

2010-10-14 06:36:52 15451288 ----a-w- c:\windows\system32\xlive.dll

2010-10-14 06:36:50 13642904 ----a-w- c:\windows\system32\xlivefnt.dll

2010-10-07 17:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-10-07 17:23:02 75040 ----a-w- c:\windows\system32\jdns_sd.dll

2010-10-07 17:23:02 197920 ----a-w- c:\windows\system32\dnssdX.dll

2010-10-07 17:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-09-28 20:44:52 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

============= FINISH: 14:25:31.90 ===============
